Confirmed opt-in (COI) is a process by which a mailing list owner verifies that an opt-in request did in fact come from the owner of the email address and was therefore not spoofed, forged, typo'd or otherwise fraudulently subscribed. The essence of COI is that the subscriber MUST respond affirmatively to the initial message sent to their e-mail address or else they are NOT added to the list. COI ensures that all addresses are added to the list legitimately and only with the owner's permission. Note that simply sending a "welcome" message where the e-mail address owner is subscribed unless they take specific action in order to stop the mail is a form of "opt out" and does not fulfill the "opt in" standard required by Spamhaus' users.

For the user subscribing to a mailing list, COI is as simple as replying to an automated confirmation e-mail or clicking a link in an automated confirmation e-mail. In professional list management software, COI utilizes a unique token (sort of like a single-use password) passed from the list software to the would-be subscriber, and the subscriber returns the token to confirm their permission. Such "closed-loop confirmation" has been Best Current Practice in mailing list management software since about 1996. Software handles all the token transactions and maintains logs to document each and every subscription.
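To make the closed-loop exchange concrete, here is a small Python illustration of the token handling described above. It is an added example, not code from this FAQ or from any list-management product named on this page; the ListManager class, the 72-hour token expiry and the sample addresses are assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass, field

# Confirmation links valid for 72 hours (an assumed policy, not a figure from the FAQ).
TOKEN_TTL_SECONDS = 72 * 3600


def normalize(address):
    """Canonical form used for membership checks: the domain part is case-insensitive,
    and in practice lists treat the local part the same way (an assumption made here)."""
    local, _, domain = address.strip().partition("@")
    return f"{local.lower()}@{domain.lower()}"


@dataclass
class ListManager:
    """Hypothetical list manager holding the closed-loop state for one list."""
    pending: dict = field(default_factory=dict)   # token -> (address, issued_at)
    members: set = field(default_factory=set)
    log: list = field(default_factory=list)       # (event, address, source_ip, when)

    def request_subscription(self, address, source_ip, now=None):
        """Step 1: an opt-in request arrives from a web form or by mail. Nothing is added
        to the list; a single-use, unguessable token is issued and mailed to the address."""
        now = time.time() if now is None else now
        addr = normalize(address)
        token = secrets.token_urlsafe(24)   # 192 random bits: cannot be guessed or forged
        self.pending[token] = (addr, now)
        self.log.append(("request", addr, source_ip, now))
        return token   # embedded in the confirmation mail, e.g. https://lists.example.net/c/<token>

    def confirm(self, token, source_ip, now=None):
        """Step 2: whoever controls the mailbox returns the token (by reply or by click).
        Only then is the address subscribed. Unknown, reused or expired tokens are refused."""
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)   # pop makes the token single-use
        if entry is None:
            self.log.append(("confirm-rejected", None, source_ip, now))
            return False
        addr, issued_at = entry
        if now - issued_at > TOKEN_TTL_SECONDS:
            self.log.append(("confirm-expired", addr, source_ip, now))
            return False
        self.members.add(addr)
        self.log.append(("confirm", addr, source_ip, now))
        return True

    def is_subscribed(self, address):
        return normalize(address) in self.members
```

The log of request and confirmation events, with timestamps and source IPs, is what lets a list owner document each subscription if a recipient or an anti-spam organization later asks how an address got onto the list.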

All professional mailing list management products support COI; some are proprietary and some are open-source (free). CommuniGate Pro, Majordomo, ezmlm, Mailman, and Lyris are a few such products. Also check out phpList and CiviCRM. Perhaps the best advice we can offer is to engage a reputable Email Service Provider (ESP) which services your type and size of mailing list, and which understands and offers COI services.

See the next section of this FAQ, "What is the right way to send bulk e-mail?" for some additional links about Confirmed Opt In (COI).

What is the right way to send bulk e-mail?

This is intended only as a basic outline of what it takes to manage a legitimate bulk e-mail list. Seek expert advice from appropriate companies and consultants for a more complete understanding of the complicated issues of legitimate bulk e-mail. Remember, all bulk e-mail must be opt in, otherwise it is unsolicited. And Unsolicited Bulk E-mail (UBE) is spam!

1. Address acquisition - Make sure it's Opt In. E-pending is not Opt In. If the recipient didn't ask for it in the first place, the rest of the list management processes are irrelevant. While various transactions and business relationships can infer permission, if there's any doubt, or for any on-going bulk e-mail relationship, closed-loop Confirmed Opt In (COI) is the gold standard for verifying permission, in use since about 1996. Some examples of software which use COI include Majordomo-2, EZMLM, Mailman, and Lyris.

2. Truth in advertising - State your policies and the nature of the bulk e-mail at the point of subscription. Tell the subscriber what to expect: how often, how big, what kind, what topics and content, etc. Don't hide information about the subscription on remote pages, behind hyperlinks, or buried in jargon, legalese, and obfuscation.

3. Identify your company properly in the message itself and in Internet records. Use properly registered domains with working mail and web addresses. Every domain you use should identify your company and lead to a website identifying your company. Don't hide behind ever-changing mazes of domains (snowshoe spamming). Anonymized whois records just shout "hey, I'm trying to hide something!" So does using only an image for your name and address in the mail. Use proper SPF records and DKIM signatures. Domain and IP reputations affect each other. Mail server IPs should be identified with proper rDNS (PTR) and mail servers should identify themselves with a proper HELO value. Stand behind every message you send saying "we sent that mail and we accept responsibility for sending it." Make your online identity as solid as a brick-and-mortar business.
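The rDNS and HELO requirements in this item can be checked mechanically, and receiving servers do exactly that. The following Python function is an added example (not part of this FAQ) of the forward-confirmed reverse DNS and HELO consistency checks a receiving MTA applies, or that a sender can run against its own outbound servers before mailing. The DNS data is constructed for the example using reserved documentation addresses; a real check would query DNS instead of these dictionaries.

```python
import ipaddress

# Constructed DNS data for this example; none of these are real records.
# Forward zone: hostname -> set of A records.
A_RECORDS = {
    "mail.example.net": {"203.0.113.10"},
    "www.example.net": {"203.0.113.80"},
    "mta-17.snowshoe.example": {"198.51.100.17"},
}
# Reverse zone: IP -> set of PTR names.
PTR_RECORDS = {
    "203.0.113.10": {"mail.example.net"},
    "198.51.100.17": {"17.100.51.198.dynamic.isp.example"},  # generic rDNS that does not resolve back
    "198.51.100.99": set(),                                    # no PTR at all
}


def lookup_a(name):
    return A_RECORDS.get(name.lower().rstrip("."), set())


def lookup_ptr(ip):
    return PTR_RECORDS.get(ip, set())


def check_sender_identity(ip, helo):
    """Return the findings a receiving MTA (or an operator auditing their own outbound
    servers) would raise about the connecting IP and the HELO/EHLO name it presented."""
    findings = []
    ptrs = lookup_ptr(ip)
    if not ptrs:
        findings.append(f"no PTR record for {ip}")

    # Forward-confirmed reverse DNS: at least one PTR name must resolve back to the IP.
    fcrdns = {name for name in ptrs if ip in lookup_a(name)}
    if ptrs and not fcrdns:
        findings.append(f"PTR for {ip} does not resolve back to it (not forward-confirmed)")

    # The HELO name should be a real hostname that resolves to the sending IP ...
    helo_name = helo.strip().lower().rstrip(".")
    try:
        ipaddress.ip_address(helo_name.strip("[]"))
        findings.append("HELO is a bare IP address, not a hostname")
    except ValueError:
        if ip not in lookup_a(helo_name):
            findings.append(f"HELO {helo_name} does not resolve to {ip}")
        # ... and should match the forward-confirmed rDNS name.
        if fcrdns and helo_name not in fcrdns:
            findings.append(f"HELO {helo_name} differs from rDNS name(s) {sorted(fcrdns)}")
    return findings
```

A clean result for the well-configured server (matching PTR, A record and HELO) and a list of findings for the others is the kind of evidence that, combined with SPF and DKIM results, feeds the domain and IP reputation the item above refers to.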

4. Maintenance - Keep your list current! Remove unsubscription requests and bounces promptly, as close to real-time as possible, no later than the same day. Mail the list at regular intervals. Unmailed lists provoke high complaint rates when they reactivate, even from truly opt-in addresses. Addresses "churn" over time, that is, they are abandoned or re-used. For most commercial lists, mail at least once per week and remove any address with three sequential bounces, or with sequential bounces for more than two weeks.

5. Bounce processing - Respect what the recipient's server tells you. SMTP "5xy" codes mean "No!" Bouncing your mail off the filters but showing up in the logs, or resuming spamming after filter rules come down, is a sure-fire way to really annoy server operators and mailbox owners alike. Addresses being converted to spamtraps will typically reject (5xy) all deliveries for about six months...you certainly don't want those on your list so make sure they bounce off!

Similarly, a receiver's TEMP FAIL response (4xy) should be respected by your server. All standards-compliant servers will automatically retry such deferred deliveries at increasing time intervals. Generally retries cease and the message is considered undeliverable after 5 days. The interval before pruning a deferred address from your list is usually longer and takes more bounces than a hard "5xy" rejection, but eventually such addresses should also be retired from your list.
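Items 4 and 5 together describe a bounce-processing rule: a delivery breaks a failure streak, three sequential 5xy rejections (or sequential bounces spanning more than two weeks) retire an address, and 4xy deferrals are retired more slowly. The Python below is an added example of that rule, not code from this FAQ. The hard-bounce thresholds are the ones stated above; the deferral thresholds and the sample delivery log are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds from the FAQ for hard (5xy) rejections.
HARD_LIMIT = 3                    # three sequential bounces ...
HARD_WINDOW = timedelta(days=14)  # ... or sequential bounces for more than two weeks
# The FAQ only says deferred (4xy) addresses take longer and more bounces to retire;
# these two values are assumptions for the example.
SOFT_LIMIT = 6
SOFT_WINDOW = timedelta(days=42)


@dataclass
class FailureStreak:
    count: int = 0
    worst_class: int = 0          # 4 while only deferrals are seen, 5 once any hard rejection is
    first: datetime = None
    last: datetime = None


@dataclass
class BounceProcessor:
    active: set                                   # current list membership
    streaks: dict = field(default_factory=dict)   # address -> FailureStreak
    removed: dict = field(default_factory=dict)   # address -> reason, kept for the audit log

    def record(self, address, smtp_code, when):
        """Apply one SMTP reply for one recipient. Returns True if the address was removed."""
        addr = address.lower()
        if addr not in self.active:
            return False                          # retired earlier: a 5xy is final, don't come back
        reply_class = smtp_code // 100
        if reply_class == 2:
            self.streaks.pop(addr, None)          # delivered: the failure streak is broken
            return False
        if reply_class not in (4, 5):
            raise ValueError(f"unexpected SMTP reply {smtp_code}")

        streak = self.streaks.setdefault(addr, FailureStreak())
        streak.count += 1
        streak.worst_class = max(streak.worst_class, reply_class)
        streak.first = streak.first or when
        streak.last = when

        limit, window = (HARD_LIMIT, HARD_WINDOW) if streak.worst_class == 5 else (SOFT_LIMIT, SOFT_WINDOW)
        if streak.count >= limit or (when - streak.first) > window:
            self.active.discard(addr)
            self.removed[addr] = (f"{streak.count} sequential {streak.worst_class}xy failures "
                                  f"between {streak.first:%Y-%m-%d} and {when:%Y-%m-%d}")
            del self.streaks[addr]
            return True
        return False


# Constructed delivery log: (recipient, SMTP reply code, date) from a weekly mailing.
SAMPLE_EVENTS = [
    ("gone@example.org", 550, "2024-01-01"),
    ("gone@example.org", 550, "2024-01-08"),
    ("gone@example.org", 550, "2024-01-15"),   # third sequential 5xy: remove
    ("busy@example.net", 451, "2024-01-01"),
    ("busy@example.net", 250, "2024-01-08"),   # deferred once, then delivered: keep
    ("trap@example.com", 550, "2024-01-01"),
    ("trap@example.com", 550, "2024-01-20"),   # only two bounces, but 19 days apart: remove
]


def run(events, members):
    bp = BounceProcessor(active={m.lower() for m in members})
    for addr, code, day in events:
        bp.record(addr, code, datetime.strptime(day, "%Y-%m-%d"))
    return bp
```

Note that a removed address is never reinstated by a later successful delivery: if an address that rejected your mail for months suddenly accepts, the most likely explanation is that it has become a spamtrap or has a new owner, not that your original subscriber is back.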

6. Unsubscription must work! Promptly. And for all the bulk mail you're sending to that address. It must work via e-mail (include correct info in headers) and many subscribers also appreciate a web link included in message body. Sign up for feedback loops, and consider that abuse reports may indicate more serious problems than can be fixed by simply unsubscribing the reporting address. Some jurisdictions also require unsubscription via snail-mail. Basically, if someone wants off your list, help them with their request no matter how they ask.
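The "correct info in headers" this item asks for is the List-Unsubscribe header of RFC 2369 (a mailto: and an https: URI) plus, for mailbox providers that unsubscribe on the recipient's behalf, the List-Unsubscribe-Post header of RFC 8058. The Python below is an added example of a service that issues those headers and then honours both channels; it is not code from this FAQ. The list domain, mailbox name, URL layout and class names are assumptions made for the example.

```python
import secrets
from email.message import EmailMessage
from urllib.parse import quote

LIST_DOMAIN = "lists.example.net"             # hypothetical list domain
UNSUB_MAILBOX = f"unsubscribe@{LIST_DOMAIN}"  # hypothetical mailbox that processes mailto: requests


class UnsubscribeService:
    """Hypothetical service: issues per-recipient unsubscribe tokens and honours them
    whether they come back by e-mail or by an RFC 8058 one-click POST."""

    def __init__(self):
        self.tokens = {}          # opaque token -> address (the address itself is never in the URL)
        self.suppressed = set()

    def token_for(self, address):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = address.lower()
        return token

    def add_list_headers(self, msg, recipient, list_name):
        """RFC 2369 List-* headers plus the RFC 8058 one-click marker on an outgoing message."""
        token = self.token_for(recipient)
        mailto = f"mailto:{UNSUB_MAILBOX}?subject={quote('unsubscribe ' + token)}"
        https = f"https://{LIST_DOMAIN}/unsubscribe/{token}"
        msg["List-Id"] = f"{list_name} <{list_name}.{LIST_DOMAIN}>"
        msg["List-Unsubscribe"] = f"<{mailto}>, <{https}>"
        msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
        return token

    def _unsubscribe(self, token):
        address = self.tokens.get(token)     # idempotent: a second request is harmless
        if address is None:
            return None
        self.suppressed.add(address)
        return address

    def handle_mailto(self, inbound):
        """A message arriving at the unsubscribe mailbox; the token travels in the Subject.
        Accepts an EmailMessage or any mapping with a Subject key."""
        subject = (inbound.get("Subject") or "").strip()
        if not subject.lower().startswith("unsubscribe "):
            return None
        return self._unsubscribe(subject.split(None, 1)[1].strip())

    def handle_one_click(self, path, method, body):
        """The HTTPS endpoint. Per RFC 8058 a POST whose body is List-Unsubscribe=One-Click is
        an unsubscribe performed by the mailbox provider; a GET is just a browser following the
        link and should be answered with a page, not treated as an unsubscribe."""
        if method != "POST" or body.strip() != "List-Unsubscribe=One-Click":
            return None
        prefix = "/unsubscribe/"
        if not path.startswith(prefix):
            return None
        return self._unsubscribe(path[len(prefix):])

    def is_suppressed(self, address):
        return address.lower() in self.suppressed


def build_newsletter(service, recipient):
    msg = EmailMessage()
    msg["From"] = f"Example News <news@{LIST_DOMAIN}>"
    msg["To"] = recipient
    msg["Subject"] = "Example News, January issue"
    msg.set_content("Newsletter body.\n\nTo stop receiving this, use the unsubscribe option in your mail client.")
    service.add_list_headers(msg, recipient, "news")
    return msg
```

Whichever channel the request arrives by, the result is the same suppression entry, which is what "for all the bulk mail you're sending to that address" requires in practice: every list and every sending system has to consult it.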

7. Concurrency - Respect the receiving server's SMTP dialogue. If it says pipelining allowed, give it what it wants. If it says "try again later" (4xy), don't despair, let your server queue the message and do what good servers are supposed to do. If it accepts a bit slowly, throttle back your server so as not to flood smaller sites. Opening up lots of threads to a slow server is an excellent way to get tarpitted and blocked. (Good servers do all that stuff by default, automatically.)

8. Seek expert advice! There are highly qualified delivery consultants and some who aren't so qualified; buyer beware. Ask your ISP for advice. Consider using a reputable E-mail Service Provider (ESP) to send your mail and manage your lists. If any delivery consultant is not aware of the terms and problems in this very brief outline, or if they make promises that they can get you "whitelisted" at ISPs, well, again, caveat emptor! (No one but Spamhaus decides what IPs we list or remove from our lists. The only way to be removed is to fix the spam problem that caused the listing.)

No legitimate company will ever sell you a list of 'opt-in' email addresses. Anyone selling you lists of 'opt-in' email addresses is very simply a spam outfit. If you have been sold a list of email addresses which the seller promises are 'opt-in,' you have been conned. Selling third-party e-mail addresses is inherently contradictory to the concept of 'opt-in.'

Sending any bulk email to an address list purchased from a third party is guaranteed to get you in trouble for spamming, since none of the owners of the addresses on the purchased list gave you consent to subscribe them to your list.

All advertisements for lists of "opt-in email addresses" are fraudulent. No matter how legitimate the seller's web site looks, or how much the seller 'guarantees' or promises you the addresses are 'opt-in', never get suckered into buying any email address list.

Many spam outfits offer lists of 'opt-in' email addresses for sale and tell naive buyers that it is 'safe' to send bulk email to them. It never is. Inevitably, purchased lists contain spamtraps or generate complaints, the buyers find themselves blacklisted for spamming, and only after ruining their company names and losing their internet accounts do they discover that the list seller's 'guarantee' was not worth a dime.

The Exception Which Proves The Rule is when a legitimate confirmed opt-in (COI) list is transferred from one owner to another owner, exclusively, such as in a company buyout, with all the subscription agreements retained including the topic of the list. COI records should be transferred as part of the agreement. That is obviously a special case, and very different from buying generic lists which are repeatedly resold to multiple buyers.

What about mailing our company's customer list?

We were recently asked a question about email lists which were not purchased and were obtained with the best intentions, but which have not been maintained the way frequently-mailed lists should be. It's an area that gets plenty of companies into trouble, and with many marketers attempting to "re-engage" old contacts, it's worth considering! Here's the question and our answer:

"We have a large list of emails from customers who have purchased from us over approximately one decade. They provided those emails as a method of online purchasing and to assist with customer support. Our company has never used email marketing in the past, however we are considering it now. In that context, we want to be sure that such email will be well received and follow all the rules. How do we go about that?"

Well, of course there are many different sets of rules and we suggest you follow all of them! Spamhaus' policies and advice are set out on this website. Your ISP has an Acceptable Use Policy in the Terms of Service agreement that is part of your contract with them, and they universally prohibit spam (UBE). Your country probably also has laws governing spam and the use of private information such as email addresses, and the laws of the recipient's country may apply to your mailings, too, even if they are in another country! Here are some examples of those laws:

A primary question is how the addresses were obtained and whether there was any confirmation of the address owner's intentions at the time they were collected. A webform is good at collecting stuff that looks like "name@domain" but terrible at determining whether "name" really meant to subscribe, or even if it was really they who entered the address in the form.

Another problem is that addresses "churn" -- change owners or are abandoned -- over time. Typical webmail addresses often are abandoned within six months. A ten year old list without maintenance could very well include domains which expired and were re-registered by another party. It's even possible that such domains could be used as spamtraps by Spamhaus or other filter services or researchers, and mailing spamtraps causes many reputation problems.

If you have the dates email addresses were acquired, you can do a couple of things to help avoid problems. First, determine if you really need to send an email to an address you may not have contacted in say five, or ten, years. Does that person really want to hear from your company this long after the last contact? Second, do some work on these lists. Look at the @domains, check the domain Whois and see if it has been newly registered after your acquisition of the email address. If so, there's a very good chance this email address no longer belongs to your user or client. Get rid of all these addresses permanently. Many Email Service Providers (ESPs) have tools that automate these techniques.

A completely different problem is that the address owners, if they indeed are the actual original subscriber, may have very different expectations of what they gave you their address for than receiving bulk mail. If they only provided it for transactional purposes (e.g. receipt of a ticket or coupon) then adding it to a list to receive bulk email gives them a genuine complaint that such mail is unsolicited, and hence spam. In any case, they will be surprised to suddenly start receiving frequent messages from you and may perceive it poorly.

So, the pitfalls of mailing a list of unknown or indeterminate provenance are plentiful and can lead to spam and resulting reputational, contractual and legal issues. Should you decide to pursue such a course despite those warnings, we strongly recommend that you engage a professional "Deliverability Consultant" to guide you. They can help review your list, weed out bad segments and obvious problems, and structure the mailing process and the content of the message to minimize problems. Most Email Service Providers (ESPs) provide such services as an adjunct to their mailing services. (Choose ESPs carefully; not all are as reputable as they may claim.) Independent consultants may provide a higher level of expertise or have a different incentive regarding your service than an ESP.

What about E-pending (Email-appending)?

Email appending, e-pending, or "enriching" is the supplementation of existing email databases by cross-referencing them with information from other databases. The presumed goal is to add email addresses for customers or prospects for whom the sender has other information but not email. E-pending is not an opt-in process.

M3AAWG (formerly MAAWG) has published a very clear statement about e-pending: The practice of email appending is in direct violation of core MAAWG values. The Spamhaus Project fully agrees with MAAWG's position; we never have and never will support e-pending. Both e-pending services and marketers using e-pending to enlarge their audience risk being listed on our SBL blocklist.

What is Listwashing?

Listwashing is removing (or attempting to remove) spamtraps and email addresses of "complainers" from a list that is not opt-in, without removing other email addresses that also did not ask to receive email from you. In other words, it's an attempt to make an opt-out list (such as a purchased or email append list) "safe" to spam.

Some disreputable companies offer a service to remove "spamtraps, complainers, litigators and all other perceivable threats" from email marketing lists. They give the impression that you can just buy any old list of email addresses, and as long as you use their service, happily spam away without being caught by anti-spam systems. There are several problems with this, the first being that it goes against the best practices of building an email marketing list (see "opt-in" above). Also, these services simply do not work. Spamhaus frequently sees spam in its spamtraps from bulk emailers with "cleaned" opt-out lists. We treat that spam exactly as we do any other spam.

How should we handle unsubscribe and suppression lists?

The simple, obvious first answer is: do not ever email them again. If your company is ever tempted to, think about the risk of doing so. It will probably annoy the person you are mailing against their wishes, and, depending on the jurisdiction, may be breaking the law. Neither is anything a legitimate business would want to do.

These lists, like all personally identifiable information in your possession, should be on a secure and "locked-down" server. Access to it should be limited to users who have a "need to know" rather than anyone in the company who may have a chance to copy or misuse them.

There is a better technical solution, since these opt-out addresses will never be emailed again: don't keep them around as email addresses at all. Run each address through a "one way hash" (cryptographic hash function) and store only the digests. Use a current hash function such as SHA-256 or SHA-3; MD5 is obsolete and should not be used in new designs. Because the address cannot be recreated from the digest, you cannot accidentally mail it, but you can still check any new or imported address by hashing it the same way and looking for a match. The address must be normalized identically each time (at minimum lower-casing the domain part, and in practice the whole address) before hashing, or the lookup will miss.

The hashes must also be keyed with a secret value when they are created. A plain hash of an email address is weak on its own, because email addresses are guessable: anyone who obtains the file can hash candidate addresses until one matches. Mixing in a secret (for example an HMAC with a key guarded as tightly as the list itself) defeats that. Note that the secret has to be the same for every entry, otherwise a later lookup cannot be computed; a different random salt per record, as used for password storage, does not work here. We won't get into the full technical details, but this is a well known technique and code to implement it is readily available. Once the hash list is created, the original email address lists should be fully destroyed.

What is "double opt-in"?

We really don't know. Well, okay, it is a term coined by some spammers many years ago. Sadly, it grew to be used by many to mean "confirmed opt-in" or "closed-loop opt-in".

But the usage is wrong. One does not doubly opt in to something, does one? No. One opts in, then confirms that single opt-in. No double.

The use of the term by legitimate marketers makes them sound somewhat new or uninformed.

If the recipient is given the choice to opt-out or remove, is it still spam?

Spam is Unsolicited Bulk Email. If you send any bulk email to a recipient who did not request it from you or did not give their prior and informed consent to be subscribed to your list via a "confirmed opt-in" or "closed-loop opt-in" method, you are spamming that recipient. Whether you offer an opt-out option in the message or not does not change the fact that the recipient has received Unsolicited Bulk Email, i.e: spam.

Nobody must ever be required to opt-out of anything they did not opt-in to in the first place. "Opt" is short for "option", and these people being mailed never had an original option if they did not request your emailings (and confirmed that request).

Given all the nasty and infectious material circulated by spammers, the endless tricks spammers employ to get users to click links to websites which on arrival infect their computers with Trojans, it can never be recommended that anyone click on any links in any unknown e-mail. Remove and opt-out links are generally ignored by people who receive these unknown e-mails. They know in most cases it's a waste of their time, and in many cases it just signs them up for more spam as it shows they are a "live email account" - or worse.

Note that most nations' anti-spam laws require a working opt-out system in bulk emails.

Spam is no worse than postal junk mail, is it?

Sending postal mail costs money to the sender, both to print and to deliver, so there is a monetary threshold that keeps every company in the country from sending lots of it. That threshold ensures that, while you may receive what you think is an irritating amount of junk, your postal mailbox is not completely flooded with it.

Email, on the other hand, costs next to nothing to the sender therefore there is no monetary barrier or incremental cost-per-message to deter how much email spam can be sent. With this in mind, here's the problem:

There are over 30,000,000 businesses in North America alone. If sending postal junk mail cost nothing to print or to deliver and therefore each North American business could freely send you one item of postal junk mail per month, you personally would receive about 1,000,000 items of postal junk mail each and every day. Obviously your post mailbox would not cope even with a tiny fraction of that nor could you opt out as fast as they came in. Luckily, print and postal delivery costs prevent that ever occurring. But not so with junk email.

Very simply, spam does not scale. There is no way for a recipient to say "I will accept only 4 items of spam per day and no more" since there is no mechanism to force millions of junk senders to stop sending after the recipient's daily quota has been reached. Nor is there any mechanism to force spam senders to not send more than one spam per month to each recipient. Nor is there any mechanism to limit who can send spam to your email address. The Internet is international -- can only North American businesses send you spam? How about South American businesses? And European businesses? What about businesses in Asia or Africa, are they not allowed to send spam to you as well?

If you agree to accept spam as an advertising medium, then you automatically agree that every business in the world can send spam to your email addresses. As you have no way to limit who can send you spam, you are therefore agreeing to receive bulk email advertisements from a potential 200,000,000 businesses worldwide. Assuming each only sends you one spam per month you would receive 6,600,000 spams per day... meaning 4,500 spams per minute, or 150 spams per second, into your email mailbox. Many businesses would like to send you much more than one advert per month, possibly more than one per day! So how do you solve this problem?

The obvious solution is to limit who can send bulk email advertisements to you, so that you only receive the bulk email you actually want to receive. Instead of agreeing to receive millions of unsolicited bulk emails from millions of senders, the solution is to instead opt to receive only bulk emails from specific lists you want and consent (COI, see http://www.spamhaus.org/faq/section/Marketing%20FAQs#15) to subscribe to. That is what is called "Opt-in", and is what Spamhaus advocates and works to lobby world governments to legislate.

But the Direct Marketing Association (DMA) says spamming is okay?

Unfortunately the USA's Direct Marketing Association wrongly advises DMA members that the sending of unsolicited bulk email (AKA spam) is an 'acceptable marketing practice'. This extremely bad advice by the DMA has tricked many DMA members into spamming and consequently damaged the communications and reputations of companies who believed they were following correct advice.

Sending unsolicited bulk email is never acceptable. It is against the Terms of Business (Acceptable Use Policy, "AUP") of all Internet Service Providers worldwide, therefore the DMA's advice to their members is to break their ISP's Terms and Conditions (legal contracts which say the customer's account will be terminated if they send UBE).

Sending unsolicited bulk email is also against the well-published policies of all of the Internet's anti-spam systems worldwide, including Spamhaus. It gets the sender immediately listed on spam list databases (such as the Spamhaus SBL) used by the vast majority of internet networks and spam filter systems.

The long-term damage to a business' reputation caused by following the DMA's bad advice is serious. Following the DMA's advice causes businesses to be blacklisted for spamming which also means disruption of the businesses' email communications.

As well as being in conflict with international spam laws, the DMA's advice to its members is in direct conflict with Spamhaus's advice and coincides with the Spamhaus Block List (SBL) listing policy which states that anyone knowingly sending unsolicited bulk email will be listed on the SBL for spamming.

It must be stressed that this bad and irresponsible advice is given out only by the American DMA and is contrary to the correct advice of other international DMA organizations including the Australian, Canadian and European DMAs, all of which endorse opt-in policies only.

Any Important Documents for Email Marketing Firms to read?

Yes! All firms engaged in marketing via email should read the following documents: